From patchwork Thu Dec 1 18:17:32 2022
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 13061908
From: Ard Biesheuvel
To: linux-arm-kernel@lists.infradead.org
Cc: Ard Biesheuvel, Mark Rutland, Kees Cook
Subject: [RFC PATCH v2] arm64: ftrace: Add shadow call stack protection
Date: Thu, 1 Dec 2022 19:17:32 +0100
Message-Id: <20221201181732.3063859-1-ardb@kernel.org>
X-Mailer: git-send-email 2.35.1

The low-level ftrace code performs some manipulations of the return address that might be vulnerable to abuse as a gadget.
We'd prefer to protect this code using PAC where we can, but due to the fact that this breaks pointer equality in ways that may interfere with the operation of ftrace in particular or the backtrace code in general, this needs some more careful thought. In the meantime, let's make the ftrace_caller() and return_to_handler() routines a bit more robust when shadow call stacks are enabled, by shadowing the return addresses that are captured and potentially manipulated by ftrace. Cc: Mark Rutland Cc: Kees Cook Signed-off-by: Ard Biesheuvel --- This supersedes "[PATCH 4/4] arm64: ftrace: Add return address protection" sent out on the 29th of November. arch/arm64/kernel/entry-ftrace.S | 27 ++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/arch/arm64/kernel/entry-ftrace.S b/arch/arm64/kernel/entry-ftrace.S index 30cc2a9d1757a6a7..4ce262e7d9456761 100644 --- a/arch/arm64/kernel/entry-ftrace.S +++ b/arch/arm64/kernel/entry-ftrace.S @@ -12,6 +12,7 @@ #include #include #include +#include #ifdef CONFIG_DYNAMIC_FTRACE_WITH_ARGS /* @@ -36,6 +37,11 @@ SYM_CODE_START(ftrace_caller) bti c +#if defined(CONFIG_SHADOW_CALL_STACK) && !defined(CONFIG_DYNAMIC_SCS) + /* Push the callsite's LR and the current LR to the shadow stack */ + stp x9, x30, [scs_sp], #16 +#endif + /* Save original SP */ mov x10, sp 
@@ -93,6 +99,24 @@ SYM_INNER_LABEL(ftrace_call, SYM_L_GLOBAL) /* Restore the callsite's SP */ add sp, sp, #FREGS_SIZE + 32 +#if defined(CONFIG_SHADOW_CALL_STACK) && !defined(CONFIG_DYNAMIC_SCS) +#ifdef CONFIG_FUNCTION_GRAPH_TRACER + /* + * The callsite's LR will be popped from the shadow call stack in + * return_to_handler() if a return via that function was inserted into + * the call stack by ftrace. That means we should leave the callsite's + * LR on the shadow call stack, and only pop the return address that + * takes us back to the callsite. + */ + adr x10, return_to_handler + cmp x10, x30 + b.ne 0f + ldr x9, [scs_sp, #-8]! + ret x9 +#endif + /* Pop our return address and the callsite's LR from the shadow stack */ +0: ldp x30, x9, [scs_sp, #-16]! +#endif ret x9 SYM_CODE_END(ftrace_caller) @@ -265,6 +289,9 @@ SYM_CODE_START(return_to_handler) ldp x6, x7, [sp, #48] add sp, sp, #64 +#if defined(CONFIG_SHADOW_CALL_STACK) && !defined(CONFIG_DYNAMIC_SCS) + ldr x30, [scs_sp, #-8]! +#endif ret SYM_CODE_END(return_to_handler) #endif /* CONFIG_FUNCTION_GRAPH_TRACER */
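Review bot: the `stp x9, x30, [scs_sp], #16` push in the `@@ -36,6 +37,11 @@` hunk fixes a slot layout (callsite's LR in the lower slot, return address into the callsite in the upper slot) that the exit path silently depends on: the graph-tracer branch pops only the upper slot with `ldr x9, [scs_sp, #-8]!` and leaves the lower slot for return_to_handler, and the normal path pops both with `ldp x30, x9, [scs_sp, #-16]!`, with the registers swapped relative to the push because by then x30 holds the callsite's LR (it is what gets compared against return_to_handler) and x9 the return into the callsite. The one-line comment at the push should spell out this layout and the swap, since nothing else ties the three sites together. It would also help to state why the protection is limited to `!defined(CONFIG_DYNAMIC_SCS)`; the condition is repeated three times in the patch and never explained.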
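Review bot: in the `@@ -93,6 +99,24 @@` hunk, `ldp x30, x9, [scs_sp, #-16]!` (and `ldr x9, [scs_sp, #-8]!` on the graph-tracer path) unconditionally overwrites the x9 and x30 values restored from the ftrace regs just above, so any change a tracer callback made to the saved PC or LR between the push and this pop is discarded, except for the single LR rewrite to return_to_handler that the `cmp x10, x30` / `b.ne 0f` test recognises. If that is the intent (the shadow copy is authoritative and callbacks may not redirect the return), the block comment should say so explicitly; if callbacks are expected to be able to change the saved PC, this needs to compare the popped value against the restored one and fail loudly on a mismatch rather than overwrite it.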
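Review bot: in the `@@ -265,6 +289,9 @@` hunk, `ldr x30, [scs_sp, #-8]!` replaces the x30 that the existing `ret` was about to return through, so from here on the shadow copy, not the value return_to_handler had in x30, decides where execution goes. That is the point of the patch, but a short comment here (mirroring the one in ftrace_caller) should state that this pops the callsite's LR that ftrace_caller deliberately left on the shadow stack, and that the two sites must stay paired; otherwise a later change to the graph-tracer branch in ftrace_caller could unbalance the shadow stack with nothing in this function indicating the dependency.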